You’ve no doubt heard the refrain that companies doing business in the U.S. are facing more regulation than ever before. An analysis by libertarian think-tank Mercatus Center would back that up (the U.S. had a nearly 16% increase in the number of regulatory restrictions between 2006 and 2019). But it’s not fair to say that regulation applies equally across the board. MirrorWeb’s Harriet Christie discusses the regulatory picture across three major industries.
RegTech companies perform exactly the function you’d expect; they provide technology used by businesses to manage and enhance regulatory processes in order to achieve and prove compliance. This red-hot sector is growing at a pace of nearly 20% per year and is expected to hit about $22 billion just five years from now, according to projections.
And since the majority of RegTech providers create products for the financial services industry, is it any wonder that the finance sector is one of the most heavily regulated, according to Mercatus data? But finance isn’t the only industry carrying (or expecting to carry) a heavy regulatory burden. Below we’ll look at three other industries that are becoming increasingly regulated as time passes.
One of the difficulties with regulating cybersecurity, and previously a deterrent, is that it is “an industry founded in rulebreaking.” How do you regulate a sector built to protect computer systems, when those levying the threats operate outside of any rulebook and constantly devise new means of breaching the systems they’re targeting? No regulatory framework can ever be truly current; it’s a question of being as up-to-date as possible.
In March 2022, SEC Chairman Gary Gensler proposed rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies. These disclosures are intended to keep investors better informed and include reporting around cybersecurity incidents, plus periodic reporting for updates on previously reported incidents, as well as policies and procedures to identify and manage cyber risk.
The healthcare industry accumulates an enormous amount of sensitive patient data on a daily basis, particularly in a world of increasing virtual consultations. Healthcare organizations are obliged to meet HIPAA’s regulatory requirements, and the use of new and varied communications has made compliance increasingly difficult.
The government has used its discretion in penalizing HIPAA noncompliance occurring in good faith during the Covid-19 public health emergency and beyond. This meant that the rules around the provision of telehealth services were relaxed, “allowing providers to deliver care through a broad range of devices and technology platforms.”
While such a reprieve was pragmatic and undoubtedly welcome, compliance officers need to be aware that it’s not a permanent resolution. Although some telehealth flexibilities have become a permanent part of the landscape, others are set to expire, though efforts are ongoing to extend them.
The administration used the pandemic as a time to investigate illicit areas of telehealth, such as telefraud scams that leverage aggressive marketing (e.g. cold-calling patients) or provide fraudulent telemedicine services. Post pandemic emergency, the government will use these findings to prioritize enforcement, with the Department of Justice’s Health Care Fraud Unit explicitly stating that it is “dedicated to rooting out schemes that have exploited the pandemic.”
Following a tumultuous year in the cryptocurrency market, March 2022 saw President Joe Biden sign an executive order that many considered a significant breakthrough for the industry, demonstrating the administration’s acceptance that crypto was indeed worthy of regulation. This is particularly notable, as it comes just a year after Gensler himself likened the industry to the Wild West, deeming it ungovernable.
The government is, however, starting from scratch on crypto, and months down the line, there is still uncertainty around what this regulatory framework will look like. The executive order was essentially a callout to a variety of relevant organizations (from the Treasury to the SEC) to spend time doing their due diligence, before sharing suggestions around how each of its objectives can be met most effectively.
This constructive and collaborative approach gives the best possible opportunity for the uniform application of regulations from one rulebook, as favored by Gensler. This is strengthened by the fact that several states, including California, have begun to follow the federal lead in issuing their own executive orders in a similar vein.
In an increasingly digital, siloed world, RegTech services will continue to proliferate. Trust from consumers must be earned in different ways and is less contingent on smooth-talking executives than on compliance with the appropriate statutes and regulations.
Corporate conduct can now be held to a higher standard due to the abundance of information at regulators’ disposal. Examples like Deutsche Bank’s recent setback show that large corporations are increasingly accountable and that there are fewer places to hide in the age of information. The level of scrutiny is growing across the board, and so, by extension, is the number of heavily regulated industries. Crypto, healthcare and cybersecurity are likely just the tip of the iceberg.